LDAP Accounting

Olivier Beytrison olivier at heliosnet.org
Mon Dec 10 16:51:33 CET 2012


On 10.12.2012 16:27, John Dennis wrote:
> On 12/09/2012 07:33 PM, Arran Cudbard-Bell wrote:
>> Just pushed up a few patches to add LDAP accounting.
> 
> Just out of curiosity why are we adding support for "worst practice",
> shouldn't we be encouraging "best practice" via the choice of supported
> configurations?
> 
> Maintaining accounting data in LDAP is an abuse of the LDAP design goals
> of "frequent lookup, infrequent modification". Databases were designed
> for the type of data management that radius accounting involves,
> directories were not. Accounting should be in a database, not a
> directory. Directories were designed to solve different problems.
> Maintaining authentication and identity information across an enterprise
> is exactly one of those problems LDAP was designed to handle which makes
> auth/authz lookups in a directory appropriate. Maintaining accounting
> information in a directory is not.

I totally agree with you. But the implementation made by Arran will not
allow you to perform full accounting in LDAP at the moment. But there
are situations where it might be useful to update an attribute. In my
case, I need to get the loginTime updated periodically, like on
accounting-start and stop. I know that it will be done automatically if
I bind as the radius-user, but if possible we don't want to bind, as it
has other consequences.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: olivier at heliosnet.org
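An added illustration of the narrow use case Olivier describes (update one attribute on the user's entry at accounting start/stop, without binding as that user), written for this page and not taken from Arran's patches or from the FreeRADIUS project. It assumes the rlm_ldap `accounting { reference / type { ... } }` layout as it later shipped in FreeRADIUS 3.0, which may differ from the patches under discussion; the server name, base DN, service identity and the use of `%S` as the value written to `loginTime` are assumptions, and `loginTime` is a site-specific schema attribute whose expected value syntax must be checked against your directory. The server binds once with its own service identity, so the directory ACL for that identity can be limited to write access on that single attribute, which is the least-privilege alternative to binding as the end user.

```unlang
# mods-available/ldap (example fragment, not the project's shipped file)
ldap {
	server = "ldap.example.org"                        # assumed
	identity = "cn=radius,ou=services,dc=example,dc=org"  # assumed service DN
	password = "change-me"                             # assumed; keep out of VCS

	user {
		base_dn = "ou=people,dc=example,dc=org"        # assumed
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	accounting {
		# Select the sub-section below from Acct-Status-Type
		# (Start -> start, Interim-Update -> interim-update, Stop -> stop).
		reference = "%{tolower:type.%{Acct-Status-Type}}"

		type {
			start {
				update {
					# loginTime / %S format are assumptions; match your schema's syntax
					loginTime := "%S"
				}
			}
			interim-update {
				update {
					loginTime := "%S"
				}
			}
			stop {
				update {
					loginTime := "%S"
				}
			}
		}
	}
}

# sites-enabled/default: call the module from the accounting section
accounting {
	ldap
}
```

Only the three Acct-Status-Type values listed get a sub-section, so an Accounting-On/Off packet from a NAS matches nothing and the module returns noop rather than touching the directory; give the service DN write access to `loginTime` only, so a compromised RADIUS server cannot rewrite passwords or group memberships through the same bind.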


More information about the Freeradius-Devel mailing list